-
Notifications
You must be signed in to change notification settings - Fork 438
60 lines (60 loc) · 1.97 KB
/
trivy_images.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
---
name: trivy-images
on:
push:
branches:
- main
schedule:
- cron: "37 19 * * *"
permissions:
contents: read
jobs:
get-dev-image:
uses: ./.github/workflows/get_image.yaml
with:
image-base-name: "dev_image_with_extras"
image-scan:
strategy:
fail-fast: false
matrix:
artifact: [cloud, operator, vizier]
runs-on: ubuntu-latest-8-cores
needs: get-dev-image
container:
image: ${{ needs.get-dev-image.outputs.image-with-tag }}
permissions:
actions: read
contents: read
security-events: write
steps:
- uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
- name: Add pwd to git safe dir
run: git config --global --add safe.directory `pwd`
- name: Use github bazel config
uses: ./.github/actions/bazelrc
with:
download_toplevel: 'true'
BB_API_KEY: ${{ secrets.BB_IO_API_KEY }}
- name: Build images
run: |
./scripts/bazel_ignore_codes.sh build \
--//k8s:image_version=nightly --config=x86_64_sysroot \
//k8s/${{ matrix.artifact }}:image_bundle.tar //k8s/${{ matrix.artifact }}:list_image_bundle
- name: Load Images
run: |
docker load -i bazel-bin/k8s/${{ matrix.artifact }}/image_bundle.tar
- name: Scan Images
# yamllint disable rule:line-length
run: |
mkdir -p sarif/${{ matrix.artifact }}
./bazel-bin/k8s/${{ matrix.artifact }}/list_image_bundle | xargs -I{} sh -c 'trivy image {} --format=sarif --output=sarif/${{ matrix.artifact }}/$(basename {} | cut -d":" -f1).sarif'
# yamllint enable rule:line-length
- run: |
for f in "sarif/${{ matrix.artifact }}/"*; do
jq '.runs[].tool.driver.name = "trivy-images"' < "$f" > tmp
mv tmp "$f"
done
- uses: github/codeql-action/upload-sarif@04df1262e6247151b5ac09cd2c303ac36ad3f62b # v2.2.9
with:
sarif_file: sarif/${{ matrix.artifact }}
category: trivy-images